LQ weekly security rep - Tue Mar 04th 2003
Mar 7th 2003: 11 issues handled (LAW)
php, slocate, sendmail, mhc, eterm, tcpdump, snort, openssl, tg3, squirrelmail, im

Mar 03rd 2003: 2 issues handled (SANS)
- DHS/NIPC Advisory 03-004 Remote Sendmail Header Processing Vulnerability
- DHS/NIPC Advisory 03-003 Snort Buffer Overflow Vulnerability

Mar 03rd 2003: 43 of 55 issues handled (ISS)
- PHP-Nuke auth.php SQL injection
- phpBB auth.php script file disclosure
- MyGuestbook form.php HTML injection
- MyGuestbook authentication cookie unauthorized access
- MyGuestbook user_modif.php allows attacker to modify data
- Nuked-Klan cross-site scripting in Team, News, and Liens modules
- Nuked-Klan information disclosure
- Webmin and Usermin session ID spoofing root access
- glFtpD username overwrite files
- moxftp FTP welcome banner buffer overflow
- GOsa PHP plugin variable file include
- SIRCD reverse DNS lookup buffer overflow
- glFtpD oneliners file modification could allow unauthorized root privileges
- Wihphoto sendphoto.php file disclosure
- FreeBSD SYN cookie brute force attack
- Mambo Site Server MD5 hash session ID could allow elevated privileges
- QuickTime and Darwin Streaming Server parse_xml.cgi
- QuickTime and Darwin Streaming Server RTSP DESCRIBE cross-site scripting
- QuickTime and Darwin Streaming Server MP3 broadcasting buffer overflow
- Apache HTTP Server error log terminal escape sequence injection
- Multiple vendor terminal emulator screen dump file overwrite
- Multiple vendor terminal emulator window title command execution
- Multiple vendor terminal emulator DEC UDK denial of service
- Multiple vendor terminal emulator menuBar modification command execution
- ClarkConnect clarkconnectd daemon information disclosure
- Netscape Cascading Style-Sheet (CSS) overflow set to scroll denial of service
- CuteNews shownews.php, search.php, and comments.php file include
- VERITAS BMR for IBM TSM could allow root access to BMR Main Server
- nCipher could import duplicate keys
- Apache HTTP Server MIME message boundaries information disclosure
- Opera "Enable Automatic Redirection" option cross-site scripting
- AMX amx_say format string attack
- AMX transmits rcon password in plain text
- Ecartis password reset
- tcpdump ISAKMP parsing denial of service
- Invision Power Board ipchat.php file include
- Sun Solaris ftp -d plaintext password
- mhc-utils adb2mhc creates an insecure temporary directory
- WEB-ERP logicworks.ini unauthorized configuration access
- PY-Livredor guest book field cross-site scripting

(old, just in case someone noticed me skipping it)
Feb 28th 2003: 21 issues handled (LAW)
slocate, nanog, tcpdump, kde, openssl, WebTool, snycookie, webmin, acupsd, tightvnc, vnc, vte, hypermail, libmcrypt, openldap, mysql, postgresql, initscripts, krb5, lynx, shadow-utils
Feb 28th 2003 (LAW)
Linux Advisory Watch
Package: slocate
Date: 02-21-2003
Description: A problem has been discovered in slocate, a secure locate replacement. A buffer overflow in the setuid program slocate can be used to execute arbitrary code as superuser.
Debian Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2880.html

Package: nanog
Date: 02-27-2003
Description: A vulnerability has been discovered in NANOG traceroute, an enhanced version of the Van Jacobson/BSD traceroute program. A buffer overflow occurs in the 'get_origin()' function. Due to insufficient bounds checking performed by the whois parser, it may be possible to corrupt memory on the system stack. This vulnerability can be exploited by a remote attacker to gain root privileges on a target host. Though, most probably not in Debian.
Debian Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2906.html

Package: tcpdump
Date: 02-27-2003
Description: Andrew Griffiths and iDEFENSE Labs discovered a problem in tcpdump, a powerful tool for network monitoring and data acquisition. An attacker is able to send a specially crafted network packet which causes tcpdump to enter an infinite loop.
Debian Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2909.html

Package: kde
Date: 02-20-2003
Description: This is a full update of the KDE desktop to the 3.0.5a version, the latest 3.0.x release from the KDE project[1]. Besides containing several bugfixes and enhancements, this update also fixes several security vulnerabilities[2] found during an internal code audit organized by the KDE team.
Conectiva Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2879.html

Package: openssl
Date: 02-21-2003
Description: Vulnerable[2][3] openssl versions do not perform a MAC computation if an incorrect block cipher padding is used. An active attacker who can insert data into an existing encrypted connection is then able to measure time differences between the error messages the server sends. This information can make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext.
Conectiva Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2893.html
Debian Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2887.html
FreeBSD Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2903.html
SuSE Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2904.html
Trustix Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2885.html
Mandrake Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2896.html

Package: WebTool
Date: 02-21-2003
Description: Keigo Yamazaki discovered a vulnerability in miniserv.pl (the webserver program at the core of the WebTool) which may allow an attacker to spoof a session ID by including special metacharacters in the BASE64 encoded string used during the authentication process. This may allow a remote attacker to gain full administrative privileges over the WebTool. All users are recommended to upgrade immediately.
EnGarde Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2898.html

Package: snycookie
Date: 02-24-2003
Description: Once a syncookie key has been recovered, an attacker may construct valid ISNs until the key is rotated (typically up to four seconds). The ability to construct a valid ISN may be used to spoof a TCP connection in exactly the same way as in the well-known ISN prediction attacks (see `References'). Spoofing may allow an attacker to bypass IP-based access control lists such as those implemented by tcp_wrappers and many firewalls. Similarly, SMTP and other connections may be forged, increasing the difficulty of tracing abusers. Recovery of a syncookie key will also allow the attacker to reset TCP connections initiated within the same 31.25ms window.
FreeBSD Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2888.html

Package: webmin
Date: 02-22-2003
Description: Due to a remotely exploitable security hole being discovered that affects all previous Webmin releases, version 1.070 is now available for download.
Gentoo Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2886.html
Gentoo Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2890.html
Mandrake Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2908.html

Package: acupsd
Date: 02-22-2003
Description: A remote root vulnerability in slave setups and some buffer overflows in the network information server code were discovered by the apcupsd developers.
Gentoo Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2889.html

Package: tightvnc
Date: 02-24-2003
Description: The VNC server acts as an X server, but the script for starting it generates an MIT X cookie (which is used for X authentication) without using a strong enough random number generator. This could allow an attacker to more easily guess the authentication cookie.
Gentoo Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2891.html

Package: vnc
Date: 02-24-2003
Description: The VNC server acts as an X server, but the script for starting it generates an MIT X cookie (which is used for X authentication) without using a strong enough random number generator. This could allow an attacker to more easily guess the authentication cookie.
Gentoo Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2892.html
Red Hat Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2894.html
Mandrake Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2900.html

Package: vte
Date: 02-24-2003
Description: One feature that most terminal emulators support is the ability for the shell to set the title of the window using an escape sequence. Certain xterm variants also provide an escape sequence for reporting the current window title. This essentially takes the current title and places it directly on the command line. This feature could potentially be exploited if an attacker can cause carefully crafted escape sequences to be displayed on a vulnerable terminal emulator used by their victim.
Red Hat Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2901.html

Package: hypermail
Date: 02-24-2003
Description: During an internal source code review done by Thomas Biege several bugs were found in hypermail and its tools. These bugs allow remote code execution, local tmp race conditions, denial-of-service conditions and read access to files belonging to the host hypermail is running on. Additionally the mail CGI program can be abused by spammers as an email relay and should thus be disabled.
SuSE Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2905.html

Package: libmcrypt
Date: 02-26-2003
Description: Versions of libmcrypt prior to 2.5.5 include several buffer overflows that can be triggered by passing very long input to the mcrypt functions.
SuSE Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2902.html

Package: openldap
Date: 02-20-2003
Description: Several minor security issues were fixed in the new upstream version 1.2.13.
Trustix Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2882.html

Package: mysql
Date: 02-20-2003
Description: The new upstream version of mysql, 3.23.55, includes several minor security fixes.
Trustix Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2883.html

Package: postgresql
Date: 02-20-2003
Description: The new upstream version of postgresql, 7.1.3, includes several minor security fixes.
Trustix Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2884.html

Package: initscripts
Date: 02-20-2003
Description: A dependency loop exists between several packages including initscripts, pam and SysVinit, that causes the installer to complain. This update removes the loop, as it was not needed.
Trustix Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2881.html

Package: krb5
Date: 02-21-2003
Description: A vulnerability was discovered in the Kerberos FTP client. When the client retrieves a file that has a filename beginning with a pipe character, the FTP client will pass that filename to the command shell in a system() call. This could allow a malicious remote FTP server to write to files outside of the current directory or even execute arbitrary commands as the user using the FTP client.
Mandrake Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2895.html

Package: lynx
Date: 02-21-2003
Description: A vulnerability was discovered in lynx, a text-mode web browser. The HTTP queries that lynx constructs are built from arguments on the command line or the $WWW_HOME environment variable, but lynx does not properly sanitize special characters such as carriage returns or linefeeds. Extra headers can be inserted into the request because of this, which can cause scripts that use lynx to fetch data from the wrong site on servers that use virtual hosting.
Mandrake Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2899.html

Package: shadow-utils
Date: 02-21-2003
Description: The shadow-utils package contains the tool useradd, which is used to create or update new user information. When useradd creates an account, it would create the user's mail spool with improper permissions; instead of having it owned by the group mail, it would be owned by the user's primary group. If this is a shared group (i.e. "users"), then all members of the shared group would be able to obtain access to the mail spools of other members of the same group. A patch to useradd has been applied to correct this problem.
Mandrake Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2907.html
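Regarding the openssl entry above: the following is an added example (not code from the advisory or from OpenSSL) that contrasts the check ordering the advisory describes, where a bad padding result returns before any MAC work is done, with a form that does the MAC computation on every path and reports a single generic failure. The toy record layout, the 16-byte block, HMAC-SHA256 and the key are all assumptions made for the illustration.

```python
import hashlib
import hmac

BLOCK = 16    # cipher block size assumed for the toy record layout
MAC_LEN = 32  # HMAC-SHA256 tag length


def compute_mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def build_record(key: bytes, payload: bytes) -> bytes:
    """Constructed record layout: payload || MAC(payload) || padding, where
    every padding byte equals the padding length (1..BLOCK). This is a
    stand-in for a decrypted CBC record, not a real TLS record."""
    body = payload + compute_mac(key, payload)
    pad_len = BLOCK - (len(body) % BLOCK)
    return body + bytes([pad_len]) * pad_len


def padding_ok(record: bytes) -> bool:
    if not record:
        return False
    pad_len = record[-1]
    return 1 <= pad_len <= BLOCK and record[-pad_len:] == bytes([pad_len]) * pad_len


def mac_ok(key: bytes, body: bytes) -> bool:
    payload, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    # compare_digest keeps the tag comparison itself constant-time
    return hmac.compare_digest(tag, compute_mac(key, payload))


def check_vulnerable(key: bytes, record: bytes):
    """The ordering the advisory describes: a padding error is answered
    before any MAC work, so it returns measurably faster than a MAC error,
    and the two failures are also reported differently.
    Returns (verdict, mac_was_computed)."""
    if not padding_ok(record):
        return "bad_padding", False
    body = record[:-record[-1]]
    if not mac_ok(key, body):
        return "bad_mac", True
    return "ok", True


def check_hardened(key: bytes, record: bytes):
    """Does the MAC computation whether or not the padding was valid and
    collapses both failures into one verdict, so neither timing nor the
    error type tells the peer which check failed.
    Returns (verdict, mac_was_computed)."""
    pad_valid = padding_ok(record)
    # On bad padding assume a minimal 1-byte pad so the MAC still runs over
    # a body of comparable size; its result is only AND-ed into the verdict.
    strip = record[-1] if pad_valid else 1
    mac_valid = mac_ok(key, record[:-strip])
    return ("ok" if (pad_valid and mac_valid) else "bad_record"), True


def corrupt_padding(record: bytes) -> bytes:
    """Constructed tampering: flip the final byte so only the padding check fails."""
    return record[:-1] + bytes([record[-1] ^ 0xFF])


def corrupt_payload(record: bytes) -> bytes:
    """Constructed tampering: flip a payload bit so padding stays valid but the MAC fails."""
    return bytes([record[0] ^ 0x01]) + record[1:]
```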
Mar 03rd 2003 (ISS)
Internet Security Systems
Date Reported: 02/18/2003
Brief Description: PHP-Nuke auth.php SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any version, PHP-Nuke 5.6, PHP-Nuke 6.0
Vulnerability: phpnuke-auth-sql-injection
X-Force URL: http://www.iss.net/security_center/static/11385.php

Date Reported: 02/18/2003
Brief Description: phpBB auth.php script file disclosure
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any version, phpBB 1.4.x
Vulnerability: phpbb-auth-read-files
X-Force URL: http://www.iss.net/security_center/static/11407.php

Date Reported: 02/21/2003
Brief Description: MyGuestbook form.php HTML injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any version, MyGuestbook 3.0
Vulnerability: myguestbook-form-html-injection
X-Force URL: http://www.iss.net/security_center/static/11391.php

Date Reported: 02/21/2003
Brief Description: MyGuestbook authentication cookie unauthorized access
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any version, MyGuestbook 3.0
Vulnerability: myguestbook-cookie-unauth-access
X-Force URL: http://www.iss.net/security_center/static/11392.php

Date Reported: 02/21/2003
Brief Description: MyGuestbook user_modif.php allows attacker to modify data
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any version, MyGuestbook 3.0
Vulnerability: myguestbook-usermodif-modify-data
X-Force URL: http://www.iss.net/security_center/static/11393.php

Date Reported: 02/21/2003
Brief Description: Nuked-Klan cross-site scripting in Team, News, and Liens modules
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any version, Nuked-Klan b1.3 and earlier
Vulnerability: nuked-klan-team-xss
X-Force URL: http://www.iss.net/security_center/static/11420.php

Date Reported: 02/21/2003
Brief Description: Nuked-Klan information disclosure
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any version, Nuked-Klan b1.3 and earlier
Vulnerability: nukedklan-information-disclosure
X-Force URL: http://www.iss.net/security_center/static/11424.php

Date Reported: 02/22/2003
Brief Description: Webmin and Usermin session ID spoofing root access
Risk Factor: High
Attack Type: Network Based
Platforms: Unix Any version, Mandrake Linux 7.2, Mandrake Linux 8.0, Mandrake Single Network Firewall 7.2, Mandrake Linux 8.1, Mandrake Linux 8.2, Gentoo Linux Any version, Mandrake Linux 9.0, Webmin prior to 1.070, Usermin prior to 1.000
Vulnerability: webmin-usermin-root-access
X-Force URL: http://www.iss.net/security_center/static/11390.php

Date Reported: 02/23/2003
Brief Description: glFtpD username overwrite files
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Solaris Any version, FreeBSD Any version, glFtpD 1.28 and earlier
Vulnerability: glftpd-username-file-overwrite
X-Force URL: http://www.iss.net/security_center/static/11396.php

Date Reported: 02/23/2003
Brief Description: moxftp FTP welcome banner buffer overflow
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, FreeBSD Ports Collection Any version, moxftp 2.2
Vulnerability: moxftp-welcome-banner-bo
X-Force URL: http://www.iss.net/security_center/static/11399.php

Date Reported: 02/23/2003
Brief Description: GOsa PHP plugin variable file include
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, GOsa 1.0.0
Vulnerability: gosa-plugin-file-include
X-Force URL: http://www.iss.net/security_center/static/11408.php

Date Reported: 02/23/2003
Brief Description: SIRCD reverse DNS lookup buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Solaris Any version, Windows NT Any version, Windows 2000 Any version, FreeBSD Ports Collection Any version, SIRCD 0.4.0, SIRCD 0.4.4
Vulnerability: sircd-reverse-dns-bo
X-Force URL: http://www.iss.net/security_center/static/11409.php

Date Reported: 02/23/2003
Brief Description: glFtpD oneliners file modification could allow unauthorized root privileges
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Solaris Any version, FreeBSD Any version, glFtpD 1.28 and earlier
Vulnerability: glftpd-oneliners-root-privileges
X-Force URL: http://www.iss.net/security_center/static/11410.php

Date Reported: 02/23/2003
Brief Description: Wihphoto sendphoto.php file disclosure
Risk Factor: Medium
Attack Type: Network Based
Platforms: Unix Any version, Wihphoto 0.86-dev
Vulnerability: wihphoto-sendphoto-file-disclosure
X-Force URL: http://www.iss.net/security_center/static/11429.php

Date Reported: 02/24/2003
Brief Description: FreeBSD SYN cookie brute force attack
Risk Factor: Low
Attack Type: Network Based
Platforms: FreeBSD 4.7-STABLE, FreeBSD 5.0-RELEASE, FreeBSD 4.5-RELEASE, FreeBSD 4.6-RELEASE, FreeBSD 4.7-RELEASE
Vulnerability: freebsd-syncookie-brute-force
X-Force URL: http://www.iss.net/security_center/static/11397.php

Date Reported: 02/24/2003
Brief Description: Mambo Site Server MD5 hash session ID could allow elevated privileges
Risk Factor: High
Attack Type: Network Based
Platforms: lftpd Any version, Linux Any version, Solaris Any version, Windows Any version, Mac OS X Any version, Mambo Site Server 4.0.12 RC2
Vulnerability: mambo-sessionid-gain-privileges
X-Force URL: http://www.iss.net/security_center/static/11398.php

Date Reported: 02/24/2003
Brief Description: QuickTime and Darwin Streaming Server parse_xml.cgi command execution
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Solaris Any version, Windows Any version, Mac OS X Server 10.2, Mac OS X Server 10.2.1, Mac OS X Server 10.2.2, Mac OS X Server 10.2.3, QuickTime Streaming Server 4.1.1, Darwin Streaming Server 4.1.2
Vulnerability: quicktime-darwin-command-execution
X-Force URL: http://www.iss.net/security_center/static/11401.php

Date Reported: 02/24/2003
Brief Description: QuickTime and Darwin Streaming Server parse_xml.cgi path disclosure
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, Solaris Any version, Windows Any version, Mac OS X Server 10.2, Mac OS X Server 10.2.1, Mac OS X Server 10.2.2, Mac OS X Server 10.2.3, QuickTime Streaming Server 4.1.1, Darwin Streaming Server 4.1.2
Vulnerability: quicktime-darwin-path-disclosure
X-Force URL: http://www.iss.net/security_center/static/11402.php

Date Reported: 02/24/2003
Brief Description: QuickTime and Darwin Streaming Server parse_xml.cgi directory disclosure
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, Solaris Any version, Windows Any version, Mac OS X Server 10.2, Mac OS X Server 10.2.1, Mac OS X Server 10.2.2, Mac OS X Server 10.2.3, QuickTime Streaming Server 4.1.1, Darwin Streaming Server 4.1.2
Vulnerability: quicktime-darwin-directory-disclosure
X-Force URL: http://www.iss.net/security_center/static/11403.php

Date Reported: 02/24/2003
Brief Description: QuickTime and Darwin Streaming Server parse_xml.cgi cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Solaris Any version, Windows Any version, Mac OS X Server 10.2, Mac OS X Server 10.2.1, Mac OS X Server 10.2.2, Mac OS X Server 10.2.3, QuickTime Streaming Server 4.1.1, Darwin Streaming Server 4.1.2
Vulnerability: quicktime-darwin-parsexml-xss
X-Force URL: http://www.iss.net/security_center/static/11404.php

Date Reported: 02/24/2003
Brief Description: QuickTime and Darwin Streaming Server RTSP DESCRIBE cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Solaris Any version, Windows Any version, Mac OS X Server 10.2, Mac OS X Server 10.2.1, Mac OS X Server 10.2.2, Mac OS X Server 10.2.3, QuickTime Streaming Server 4.1.1, Darwin Streaming Server 4.1.2
Vulnerability: quicktime-darwin-describe-xss
X-Force URL: http://www.iss.net/security_center/static/11405.php

Date Reported: 02/24/2003
Brief Description: QuickTime and Darwin Streaming Server MP3 broadcasting buffer overflow
Risk Factor: High
Attack Type: Host Based / Network Based
Platforms: Linux Any version, Solaris Any version, Windows Any version, Mac OS X Server 10.2, Mac OS X Server 10.2.1, Mac OS X Server 10.2.2, Mac OS X Server 10.2.3, QuickTime Streaming Server 4.1.1, Darwin Streaming Server 4.1.2
Vulnerability: quicktime-darwin-mp3-bo
X-Force URL: http://www.iss.net/security_center/static/11406.php

Date Reported: 02/24/2003
Brief Description: Apache HTTP Server error log terminal escape sequence injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any version, Apache HTTP Server Any version
Vulnerability: apache-esc-seq-injection
X-Force URL: http://www.iss.net/security_center/static/11412.php

Date Reported: 02/24/2003
Brief Description: Multiple vendor terminal emulator screen dump file overwrite
Risk Factor: Medium
Attack Type: Host Based / Network Based
Platforms: BSD Any version, Linux Any version, Unix Any version, Eterm 0.9.1 and earlier, rxvt 2.7.8
Vulnerability: terminal-emulator-screen-dump
X-Force URL: http://www.iss.net/security_center/static/11413.php

Date Reported: 02/24/2003
Brief Description: Multiple vendor terminal emulator window title command execution
Risk Factor: Medium
Attack Type: Host Based / Network Based
Platforms: BSD Any version, Linux Any version, Windows Any version, Unix Any version, Eterm 0.9.1 and earlier, rxvt 2.7.8, XFree86 4.2.0, dtterm Any version, uxterm Any version, aterm 0.4.2, PuTTY 0.53, gnome-terminal 2.0.2, hanterm-xf 2.0
Vulnerability: terminal-emulator-window-title
X-Force URL: http://www.iss.net/security_center/static/11414.php

Date Reported: 02/24/2003
Brief Description: Multiple vendor terminal emulator DEC UDK denial of service
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms: Linux Any version, Unix Any version, XFree86 4.2.0, hanterm-xf 2.0
Vulnerability: terminal-emulator-dec-udk
X-Force URL: http://www.iss.net/security_center/static/11415.php

Date Reported: 02/24/2003
Brief Description: Multiple vendor terminal emulator menuBar modification command execution
Risk Factor: Medium
Attack Type: Host Based / Network Based
Platforms: Linux Any version, Unix Any version, rxvt 2.7.8, aterm 0.4.2
Vulnerability: terminal-emulator-menu-modification
X-Force URL: http://www.iss.net/security_center/static/11416.php

Date Reported: 02/24/2003
Brief Description: ClarkConnect clarkconnectd daemon information disclosure
Risk Factor: Medium
Attack Type: Network Based
Platforms: ClarkConnect 1.2, Linux Any version
Vulnerability: clarkconnect-clarkconnectd-info-disclosure
X-Force URL: http://www.iss.net/security_center/static/11419.php

Date Reported: 02/24/2003
Brief Description: Netscape Cascading Style-Sheet (CSS) overflow set to scroll denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any version, Netscape 7.0, Netscape 6.0
Vulnerability: netscape-css-overflow-dos
X-Force URL: http://www.iss.net/security_center/static/11433.php

Date Reported: 02/25/2003
Brief Description: CuteNews shownews.php, search.php, and comments.php file include
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any version, CuteNews .088
Vulnerability: cutenews-php-file-include
X-Force URL: http://www.iss.net/security_center/static/11417.php

Date Reported: 02/25/2003
Brief Description: VERITAS BMR for IBM TSM could allow root access to BMR Main Server
Risk Factor: High
Attack Type: Network Based
Platforms: Windows NT Any version, AIX 4.2.1, Solaris 2.6, HP-UX 11.00, HP-UX 10.20, Solaris 7, AIX 4.3, AIX 4.3.2, Solaris 8, Windows 2000 Server, HP-UX 11.11, Windows 2000 Advanced Server, AIX 5.1, AIX 4.3.3, Windows 2000 Professional, AIX 4.3.1, VERITAS Bare Metal Restore for TSM 3.1.0, VERITAS Bare Metal Restore for TSM 3.1.1, VERITAS Bare Metal Restore for TSM 3.2.0, VERITAS Bare Metal Restore for TSM 3.2.1, AIX 4.3.3.10
Vulnerability: veritas-bmr-root-access
X-Force URL: http://www.iss.net/security_center/static/11418.php

Date Reported: 02/25/2003
Brief Description: nCipher could import duplicate keys
Risk Factor: Medium
Attack Type: Host Based / Network Based
Platforms: Linux Any version, Windows NT 4.0, Solaris 2.6, HP-UX 11.00, HP-UX 10.20, Solaris 7, Windows 2000 Any version, AIX 4.3.3, AIX 5L, nCipher support software prior to 7.00
Vulnerability: ncipher-duplicate-keys
X-Force URL: http://www.iss.net/security_center/static/11422.php

Date Reported: 02/25/2003
Brief Description: Apache HTTP Server MIME message boundaries information disclosure
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any version, OpenBSD 3.2, Apache HTTP Server 1.3.22 - 1.3.27
Vulnerability: apache-mime-information-disclosure
X-Force URL: http://www.iss.net/security_center/static/11438.php

Date Reported: 02/26/2003
Brief Description: Opera "Enable Automatic Redirection" option cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Opera 7.02, Opera 6.x
Vulnerability: opera-automatic-redirection-xss
X-Force URL: http://www.iss.net/security_center/static/11423.php

Date Reported: 02/26/2003
Brief Description: AMX amx_say format string attack
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, AMX 0.9.2 and earlier
Vulnerability: amx-amxsay-format-string
X-Force URL: http://www.iss.net/security_center/static/11427.php

Date Reported: 02/26/2003
Brief Description: AMX transmits rcon password in plain text
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, AMX 0.9.2 and earlier
Vulnerability: amx-rcon-password-plaintext
X-Force URL: http://www.iss.net/security_center/static/11428.php

Date Reported: 02/27/2003
Brief Description: Ecartis password reset
Risk Factor: Medium
Attack Type: Host Based
Platforms: Linux Any version, Unix Any version, Ecartis 1.0.0
Vulnerability: ecartis-password-reset
X-Force URL: http://www.iss.net/security_center/static/11431.php

Date Reported: 02/27/2003
Brief Description: tcpdump ISAKMP parsing denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, FreeBSD Any version, Debian Linux 3.0, tcpdump 3.7.1, tcpdump 3.6.3
Vulnerability: tcpdump-isakmp-dos
X-Force URL: http://www.iss.net/security_center/static/11434.php

Date Reported: 02/27/2003
Brief Description: Invision Power Board ipchat.php file include
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any version, Invision Power Board 1.1.1
Vulnerability: invision-ipchat-file-include
X-Force URL: http://www.iss.net/security_center/static/11435.php

Date Reported: 02/27/2003
Brief Description: Sun Solaris ftp -d plaintext password
Risk Factor: Medium
Attack Type: Host Based
Platforms: Solaris 2.6, Solaris 7, Solaris 8
Vulnerability: solaris-ftp-plaintext-password
X-Force URL: http://www.iss.net/security_center/static/11436.php

Date Reported: 02/28/2003
Brief Description: mhc-utils adb2mhc creates an insecure temporary directory
Risk Factor: Medium
Attack Type: Host Based
Platforms: Debian Linux 3.0, mhc-utils Any version
Vulnerability: mhc-adb2mhc-insecure-tmp
X-Force URL: http://www.iss.net/security_center/static/11439.php

Date Reported: 02/28/2003
Brief Description: WEB-ERP logicworks.ini unauthorized configuration access
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, Windows NT Any version, Windows 2000 Any version, Windows XP Any version, WEB-ERP 0.1.4 and prior
Vulnerability: weberp-logicworks-ini-access
X-Force URL: http://www.iss.net/security_center/static/11443.php

Date Reported: 03/02/2003
Brief Description: PY-Livredor guest book field cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any version, PY-Livredor 1.0
Vulnerability: pylivredor-guestbook-xss
X-Force URL: http://www.iss.net/security_center/static/11448.php
Mar 03rd 2003 (SANS Alert 2003-03-03)
SANS
DHS/NIPC Advisory 03-004 Remote Sendmail Header Processing Vulnerability

SUMMARY: The Department of Homeland Security (DHS), National Infrastructure Protection Center (NIPC) is issuing this advisory to heighten awareness of the recently discovered Remote Sendmail Header Processing Vulnerability (CAN-2002-1337). NIPC has been working closely with the industry on vulnerability awareness and information dissemination. The Remote Sendmail Header Processing Vulnerability allows local and remote users to gain almost complete control of a vulnerable Sendmail server. Attackers gain the ability to execute privileged commands using super-user (root) access/control. This vulnerability can be exploited through a simple e-mail message containing malicious code. Sendmail is the most commonly used Mail Transfer Agent and processes an estimated 50 to 75 percent of all Internet e-mail traffic. System administrators should be aware that many Sendmail servers are not typically shielded by perimeter defense applications. A successful attacker could install malicious code, run destructive programs and modify or delete files. Additionally, attackers may gain access to other systems through a compromised Sendmail server, depending on local configurations. Sendmail versions 5.2 up to 8.12.8 are known to be vulnerable at this time.

DESCRIPTION: The Remote Sendmail Header Processing Vulnerability is exploited during the processing and evaluation of e-mail header fields collected during an SMTP transaction. Examples of these header fields are the "To", "From" and "CC" lines. The crackaddr() function in the Sendmail headers.c file allows Sendmail to evaluate whether a supplied address or list of addresses contained in the header fields is valid. Sendmail uses a static buffer to store processed data. It detects when the static buffer becomes full and stops adding characters. However, Sendmail continues processing data and several security checks are used to ensure that characters are parsed correctly. The vulnerability allows a remote attacker to gain access to the Sendmail server by sending an e-mail containing a specially crafted address field which triggers a buffer overflow.

RECOMMENDATION: Due to the seriousness of this vulnerability, the NIPC is strongly recommending that system administrators who employ Sendmail take this opportunity to review the security of their Sendmail software and to either upgrade to Sendmail 8.12.8 or apply the appropriate patch for older versions as soon as possible. Patches for the vulnerability are available from Sendmail, from ISS who discovered the vulnerability and from vendors whose applications incorporate Sendmail code, including IBM, HP, SUN, Apple and SGI. Other vendors will release patches in the near future.

The primary distribution site for Sendmail is: http://www.sendmail.org

Patches and information are also available from the following sites:
- The ISS Download center: http://www.iss.net/download
- IBM Corporation: http://www.ibm.com/support/us/
- Hewlett-Packard Co.: http://www.hp.com
- Silicon Graphics Inc.: http://www.sgigate.sgi.com
- Apple Computer, Inc.: http://www.apple.com/
- Sun Microsystems, Inc.: http://www.sun.com/service/support/
- Common Vulnerabilities and Exposures (CVE) Project: http://CVE.mitre.org

As always, computer users are advised to keep their anti-virus and systems software current by checking their vendor's web sites frequently for new updates and to check for alerts put out by the DHS/NIPC, CERT/CC, ISS and other cognizant organizations. The DHS/NIPC encourages recipients of this advisory to report computer intrusions to their local FBI office (http://www.fbi.gov/contact/fo/fo.htm) and other appropriate authorities. Recipients may report incidents online to http://www.nipc.gov/incident/cirr.htm. The DHS/NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206 or nipc.watch@fbi.gov.

DHS/NIPC Advisory 03-003 Snort Buffer Overflow Vulnerability

The Department of Homeland Security (DHS), National Infrastructure Protection Center (NIPC) has been informed of a recently discovered serious vulnerability in Snort, a widely used Intrusion Detection System (IDS). DHS/NIPC has been working closely with the Internet security industry on vulnerability awareness and is issuing this advisory in conjunction with public announcements. Snort is available in open source and commercial versions from Sourcefire, a privately held company headquartered in Columbia, MD. Details are available from Sourcefire. See Snort Vulnerability Advisory [SNORT-2003-001]. The affected Snort versions include all versions of Snort from version 1.8 through current. Snort 1.9.1 has been released to resolve this issue.

The vulnerability was discovered by Internet Security Systems (ISS), and is a buffer overflow in the Snort Remote Procedure Call (RPC) normalization routines. This buffer overflow can cause snort to execute arbitrary code embedded within sniffed network packets. Depending upon the particular implementation of Snort this may give local and remote users almost complete control of a vulnerable machine. The vulnerability is enabled by default. Mitigation instructions for immediate protection prior to installing patches or upgrading are described in the Snort Vulnerability Advisory.

Due to the seriousness of this vulnerability, the DHS/NIPC strongly recommends that system administrators or security managers who employ Snort take this opportunity to review their security procedures and patch or upgrade software with known vulnerabilities. Sourcefire has acquired additional bandwidth and hosting to aid users wishing to upgrade their Snort implementation. Future information can be found at: http://www.sourcefire.com/

As always, computer users are advised to keep their anti-virus and systems software current by checking their vendor's web sites frequently for new updates and to check for alerts put out by the DHS/NIPC, CERT/CC, ISS and other cognizant organizations. The DHS/NIPC encourages recipients of this advisory to report computer intrusions to their local FBI office (http://www.fbi.gov/contact/fo/fo.htm) and other appropriate authorities. Recipients may report incidents online to http://www.nipc.gov/incident/cirr.htm. The DHS/NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206 or nipc.watch@fbi.gov.
Mar 7th 2003 (LAW)
Linux Advisory Watch
Package: php
Date: 03-04-2003
Description: Two vulnerabilities exist in the mail() PHP function. The first one allows execution of any program/script, bypassing the safe_mode restriction. The second one may allow an open relay if the mail() function is not carefully used in PHP scripts.
Caldera Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2931.html

Package: slocate
Date: 03-06-2003
Description: The proper solution is to install the latest packages. Many customers find it easier to use the Caldera System Updater, called cupdate (or kcupdate under the KDE environment), to update these packages rather than downloading and installing them by hand.
Caldera Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2931.html

Package: sendmail
Date: 03-03-2003
Description: This vulnerability can be exploited by creating and sending to a vulnerable sendmail server a carefully crafted email message. This message will trigger the vulnerability and arbitrary commands can be executed with administrative privileges.
Conectiva Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2913.html
Debian Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2918.html
http://www.linuxsecurity.com/advisor...sory-2932.html
FreeBSD Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2919.html
http://www.linuxsecurity.com/advisor...sory-2930.html
Gentoo Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2920.html
Mandrake Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2916.html
NetBSD Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2922.html
Red Hat Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2914.html
Slackware Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2923.html
SuSE Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2915.html
YellowDog Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2935.html

Package: mhc
Date: 02-28-2003
Description: It has been discovered that adb2mhc from the mhc-utils package uses a predictable name for its default temporary directory. This vulnerability allows a local attacker to overwrite arbitrary files the user has write permissions for.
Debian Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2910.html

Package: eterm
Date: 03-03-2003
Description: Many of the features supported by popular terminal emulator software can be abused when untrusted data is displayed on the screen. The impact of this abuse can range from annoying screen garbage to a complete system compromise. All of the issues below are actually documented features; anyone who takes the time to read over the man pages or source code could use them to carry out an attack.
Gentoo Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2911.html
http://www.linuxsecurity.com/advisor...sory-2912.html

Package: tcpdump
Date: 03-05-2003
Description: A vulnerability exists in the parsing of ISAKMP packets (UDP port 500) that allows an attacker to force TCPDUMP into an infinite loop upon receipt of a specially crafted packet.
Gentoo Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2933.html
Mandrake Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2917.html

Package: snort
Date: 03-06-2003
Description: Remote attackers may exploit the buffer overflow condition to run arbitrary code on a Snort sensor with the privileges of the Snort IDS process, which typically runs as the superuser. The vulnerable preprocessor is enabled by default. It is not necessary to establish an actual connection to an RPC portmapper service to exploit this vulnerability.
Gentoo Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2936.html

Package: openssl
Date: 03-06-2003
Description: Block cipher padding errors and MAC verification errors were handled differently in the SSL/TLS parts of the OpenSSL library. This leaks information in the case of incorrect SSL streams and allows for an adaptive timing attack.
NetBSD Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2921.html
Red Hat Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2939.html

Package: tg3
Date: 03-03-2003
Description: Updated kernel packages for Red Hat Linux 7.1, 7.2, 7.3, and 8.0 are now available that fix a deadlock with the tg3 driver on certain revisions of the Broadcom 570x gigabit ethernet series.
Red Hat Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2934.html

Package: squirrelmail
Date: 03-06-2003
Description: SquirrelMail is a webmail package written in PHP. Two vulnerabilities have been found that affect versions of SquirrelMail shipped with Red Hat Linux 8.0.
Red Hat Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2937.html

Package: im
Date: 03-06-2003
Description: A vulnerability has been discovered by Tatsuya Kinoshita in the way two IM utilities create temporary files. By anticipating the names used to create files and directories stored in /tmp, it may be possible for a local attacker to corrupt or modify data as another user.
Red Hat Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2938.html
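The eterm entry above comes down to one rule: untrusted data must not reach a terminal unfiltered. The following is an added example (my code, not from the advisory or any terminal emulator project) that strips ESC-introduced sequences and control characters before display; the log line it runs on is constructed.

```python
import re

# ESC-introduced sequences, ordered so the string-terminated forms (OSC, DCS,
# SOS, PM, APC) are consumed whole before the shorter generic forms can match.
_ESCAPE_RE = re.compile(
    r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)?"   # OSC: window title, palette, etc.
    r"|\x1b[PX^_].*?(?:\x1b\\|$)"           # DCS/SOS/PM/APC, terminated by ST
    r"|\x1b\[[0-?]*[ -/]*[@-~]"             # CSI: cursor moves, colours, reports
    r"|\x1b[ -/]+[0-~]"                     # nF: character-set selection, etc.
    r"|\x1b[@-Z\\-_]"                       # remaining two-character Fe sequences
    r"|\x1b",                               # a stray ESC with nothing valid after it
    re.DOTALL,
)
# C1 controls (0x80-0x9F) act like ESC-prefixed sequences on 8-bit terminals;
# drop them together with every C0 control except tab, newline and CR.
_CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f\x80-\x9f]")


def sanitize_for_terminal(text: str) -> str:
    """Strip escape sequences and control characters from untrusted text so it
    can be written to a terminal (tailing a log, paging a file) without the
    emulator interpreting any of it as a command."""
    return _CONTROL_RE.sub("", _ESCAPE_RE.sub("", text))


def contains_terminal_escapes(text: str) -> bool:
    """True when sanitizing would change the text, i.e. it carries something
    a terminal emulator would act on rather than print."""
    return sanitize_for_terminal(text) != text


# Constructed sample: a server error-log line that recorded a request path
# carrying an OSC title-set sequence and a CSI colour change.
SAMPLE_LOG = (
    "[Tue Mar 04 10:00:00 2003] [error] File does not exist: "
    "/var/www/html/\x1b]0;untrusted title\x07\x1b[31mmissing.html\x1b[0m\n"
)

if __name__ == "__main__":
    print(repr(sanitize_for_terminal(SAMPLE_LOG)))
```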
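The tcpdump entry describes a packet parser that can be driven into an infinite loop. As an added example that is not tcpdump's code, the walker below follows the ISAKMP payload chain (RFC 2408 header and generic payload header layout) and refuses any payload whose declared length cannot advance the cursor; that a zero length is the precise defect fixed in tcpdump is an assumption here, and the sample packets are constructed.

```python
import struct

ISAKMP_HDR_LEN = 28   # RFC 2408 header: two 8-byte cookies, np, ver, xchg, flags, msgid, length
PAYLOAD_HDR_LEN = 4   # generic payload header: next payload, reserved, 16-bit length


def walk_isakmp_payloads(packet: bytes) -> list:
    """Return [(payload_type, length), ...] for the payload chain of one ISAKMP
    message, raising ValueError on any payload that would not move the cursor
    forward or that runs past the message end."""
    if len(packet) < ISAKMP_HDR_LEN:
        raise ValueError("truncated ISAKMP header")
    next_payload = packet[16]
    total_len = struct.unpack("!I", packet[24:28])[0]
    if total_len > len(packet):
        raise ValueError("header length exceeds datagram")
    pos, chain = ISAKMP_HDR_LEN, []
    while next_payload != 0:
        if pos + PAYLOAD_HDR_LEN > total_len:
            raise ValueError("payload header runs past message end")
        np, _reserved, plen = struct.unpack("!BBH", packet[pos:pos + 4])
        # The guard that matters: a declared length of 0 leaves pos unchanged,
        # so a loop that simply trusts plen re-reads the same header forever.
        if plen < PAYLOAD_HDR_LEN or pos + plen > total_len:
            raise ValueError(f"bad payload length {plen} at offset {pos}")
        chain.append((next_payload, plen))
        pos += plen            # strictly increasing and bounded by total_len
        next_payload = np
    return chain


def is_well_formed(packet: bytes) -> bool:
    try:
        walk_isakmp_payloads(packet)
        return True
    except ValueError:
        return False


def build_isakmp(payloads: list) -> bytes:
    """Constructed helper: assemble a message from (type, body) payloads."""
    body = b""
    for i, (_ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, PAYLOAD_HDR_LEN + len(data)) + data
    first = payloads[0][0] if payloads else 0
    hdr = b"\x11" * 8 + b"\x00" * 8        # initiator / responder cookies
    hdr += struct.pack("!BBBBII", first, 0x10, 2, 0, 0, ISAKMP_HDR_LEN + len(body))
    return hdr + body


# Constructed samples: a valid SA + Vendor ID message, and the same bytes with
# the first payload's length field (offsets 30-31) overwritten with zero.
GOOD_PACKET = build_isakmp([(1, b"\x00" * 8), (13, b"abc")])
ZERO_LENGTH_PACKET = GOOD_PACKET[:30] + b"\x00\x00" + GOOD_PACKET[32:]
```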
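The openssl entry's point is that two distinct error paths let an observer tell a padding failure from a MAC failure. This added example (my code, not OpenSSL's, with a constructed key and a simplified MAC-then-pad record layout) puts the leaky check beside a uniform one that always does the MAC work and reports a single error.

```python
import hmac
import hashlib

MAC_KEY = b"constructed-demo-mac-key"   # stand-in for the record-layer MAC key
BLOCK = 8                               # cipher block size, 8 for DES/3DES-CBC
MAC_LEN = hashlib.sha1().digest_size    # 20, as for the SHA1 cipher suites

def record_mac(payload: bytes) -> bytes:
    return hmac.new(MAC_KEY, payload, hashlib.sha1).digest()

def build_record(payload: bytes) -> bytes:
    """Decrypted SSL/TLS-style record: payload || MAC || padding, where every
    padding byte (the final length byte included) equals pad_len."""
    body = payload + record_mac(payload)
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    return body + bytes([pad_len]) * (pad_len + 1)

def _padding_ok(record: bytes) -> bool:
    pad_len = record[-1]
    tail = bytes([pad_len]) * (pad_len + 1)
    return pad_len + 1 <= len(record) and record[-(pad_len + 1):] == tail

def check_leaky(record: bytes) -> tuple:
    """Pre-fix pattern: a padding error returns before any MAC work, so the two
    failures differ in both the error reported and the time taken."""
    if not _padding_ok(record):
        return "bad_padding", 0          # (result, MAC computations performed)
    body = record[:-(record[-1] + 1)]
    payload, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(record_mac(payload), mac):
        return "bad_mac", 1
    return "ok", 1

def check_uniform(record: bytes) -> tuple:
    """Hardened pattern: note the padding failure, continue with a minimal
    padding assumption so the MAC is always computed, and report one error."""
    good = _padding_ok(record)
    pad_len = record[-1] if good else 0
    body = record[:-(pad_len + 1)]
    payload, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(record_mac(payload), mac):
        good = False
    return ("ok" if good else "bad_record"), 1

# Constructed samples: a valid record, one with a corrupted padding byte, and
# one with a corrupted payload byte so that only the MAC check fails.
GOOD = build_record(b"GET / HTTP/1.0\r\n")
BAD_PADDING = GOOD[:-1] + b"\xff"
BAD_MAC = bytes([GOOD[0] ^ 0x01]) + GOOD[1:]
```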